A systemised risk management framework empowers you by granting the time and information necessary for you to act! Risk management is a critical and continuous process, and appropriate risk assessments should be undertaken, reviewed and managed proactively.

It is important to engage with the marketplace in terms of identifying the desired outcomes, risks and issues. This permits suppliers to provide feedback on how the outcomes might be achieved, the risks and issues as they see them, along with feedback on timescales, feasibility and affordability.

Risks and issues identified should be documented in a Risk & Issue Register. All risks and issues should have clear mitigating actions, appropriate owners and a review date. Risks and issues may be fed into a central risk register so that any overlap can be recognised and shared contextually across your engagements.

Risks & Issues

A risk can be defined as an uncertain outcome (either positive or negative) that may affect the course of a procurement exercise, engagement or contractual commitment at a future date.

An issue is a factor affecting the development or the implementation of the good/service strategy at the present time. Actions are therefore immediately put in place to resolve the issue due to its urgency.

All procurements will contain risks that may impact on their progress. It is therefore important to identify and assess risks in the present so that each risk can be managed to prevent it from becoming an issue. A best practice is to pre-determine risks at a ‘type’ level, i.e. for this type of supplier/procurement/contract we need to consider these risks. This automation removes the room for error and provides a clear reporting path on risks that haven’t been assessed.

Why is Risk Management Important?

Effective management of risk helps an organisation manage innovation and improve performance by contributing to:

  • Increased certainty and fewer surprises
  • Better service delivery
  • More effective management of change
  • More efficient use of resources
  • Better management at all levels through improved decision making
  • Reduced waste
  • Innovation
  • Management of contingent and maintenance activities

Risk Management Process

Risk management is a planned and systematic process consisting of four defined stages:

  • Identification: What are the risks?
  • Assessment: What is the likelihood of the risk occurring? How severe may the impact be?
  • Control: What can we do to reduce the impact of the risk?
  • Monitoring: Has the situation changed? Are there new risks emerging?

Risk Identification

The initial identification of risks and issues with the potential to impact on the objectives of a given procurement exercise is essential in terms of understanding.

Sources of risk can be divided into four categories:

  • Strategic/Corporate
  • Programme
  • Project
  • Operations

Many risks will be generic across all procurement exercises conducted by an organisation; however, there will also be project-specific risks that you must consider.

Once risks are identified they should be documented in the risk register as detailed above.

Risk Assessment

The purpose of risk assessment is to assess the probability of risks occurring and their potential impact.

Probability (or likelihood):
The evaluated chance of a particular outcome actually happening (including a consideration of the frequency with which the outcome may arise).

Impact:
The evaluated effect or result of a particular outcome actually happening (usually considered in terms of effect in cost, scheduling and quality).

The risk assessment can be assisted by using a risk probability framework.


Risk Control

Once risks have been identified and assessed they must be addressed and controlled. The response must be proportionate to the level of the risk that will have been determined as part of the risk assessment. For Risk Control you should consider each of the responses which are explained in more detail below.


Tolerate

Risks should only be tolerated if the result of their assessment is low or very low. The cost of taking an action may be disproportionate to the potential benefit gained. This does not mean no action should be taken at all. You should continue to monitor the risk and note any changes in the situation that may result in an increased level of risk.


Treat

The purpose of ‘treating’ a risk is to reduce the risk to an acceptable level for the organisation. It is likely that a large number of risks will belong to this category. There are many courses of action an organisation could take to ‘treat’ risks.


Transfer

Consider who is best placed to manage the risk. It may be that the risk is best managed internally within your organisation. It is also possible that transferring risk to a supplier will result in a significant cost to your organisation and this should be considered before taking this course of action. Also remember that whilst you can transfer responsibility for an action, you cannot transfer accountability.

Review Strategy

In some circumstances it may be necessary to stop the current course of action and start over. You should consider that the reason a number of activities are conducted in the public sector is because the associated risks are so great that there is no other way in which the output or outcome, which is required for the public benefit, can be achieved.

When controlling risks at the contract management stage, cooperation and dialogue between a contract manager and supplier should be actively encouraged. If suppliers feel able to share information about potential problems at the earliest opportunity then small issues can be dealt with and not escalate.

Risk Monitoring

One of the most common approaches to monitoring risks is the use of a risk register. The risk register should be set up at the start of the project and reviewed at each stage of the procurement and contract management process. Risk monitoring should be a continuous process.

A risk register should contain the following information as a minimum:

  • Risk identification number
  • Risk Owner
  • Description of Risk
  • Results of assessment (Probability/Impact) and date of assessment
  • Mitigating Actions – what are you going to do to address the risk
  • Date when the risks will next be reviewed

The ownership of risk must be clearly defined within the risk register and agreed with the individual owners. This will ensure understanding of roles, responsibilities and ultimate accountability. Individual owners should have the capability, authority and experience to deal with risk/s allocated to them.

In order to maintain a historical record of risks identified and mitigating actions taken, a new version of the risk register should be completed at each review stage.

Risk management frameworks will vary by vertical, business size and many other factors. Regardless of the level of risk management complexity, Portt aligns seamlessly to give you control, efficiency and certainty.